
SugarSpun
Posts: 8,559 Forumite
NEW UPDATE 10/12/10 - PLEASE READ
UPDATE NOTE - FOR FULL INFO PLEASE READ
Hi folks,
We just wanted to update everyone about what has been going on for the past couple of weeks since this thread was originally posted. The technical team here has been working incredibly hard both investigating and making changes. Thank you to all the users above who’ve been helping and guiding others.
Was there a new breach?
- We had reported previously that we were aware of a breach in November 2009 and had since worked very hard on further tightening security (including external consultants to assess and analyse risk and improve procedures). One key question was whether the email sent was part of that breach or a new one.
- So far, we still have no confirmed reports of any forumites who joined in 2010 getting the spam email. A number of people who said in the thread that they had received one found they were mistaken (either about their join date or about having received the email discussed) when we looked into it.
- The poll results suggested 9% of the recipients of the email joined in 2010. However none of these have been in contact with us so that we can verify it. This is just about within the margin of error one may expect when taking into account wrong clicks, people being mistaken and possible malicious votes.
- We have received copious amounts of emails from people who joined after Nov 2009 saying they didn’t get the email – far outweighing those who say they did. Also many members who'd changed their login email address since November 2009 report the spam/Trojan email went to their old email address not the changed ones.
- Coupled with our technical team’s review of the forum’s code, and possible security risks, all of this evidence points to no new breach since the one we are aware of in November 2009. However, we are still more than willing to look at any evidence to the contrary and would ask you please email it to webmaster@moneysavingexpert.com.
What action has been taken?
- Even though it seems there has been no new breach – we have conducted a thorough review and security analysis AS IF there had been, both as a preventative measure and to try to predict any potential weaknesses or breaches for the future.
- The technical team have undertaken a thorough review of the forum’s underlying code, to find points which we could try and make even more secure. Obviously we won’t be detailing exact measures taken as this could be useful information for any malicious hackers roaming the web.
- The technical team have also taken steps to make it harder for large scale harvesting of email addresses, in the event that we were hacked in future.
- While we don’t believe any access to the password file has happened (and it would be very difficult to do), as a precaution for the future we have added an extra warning when users choose a password, advising never to choose something you use for other websites that store sensitive personal information about you.
- While we have no indication of any breach of Private Messages during our investigation, we noted that some people used PMs as if they were a secure form of communication. To prevent this, extra warnings have been added whenever users compose a Private Message (PM), reminding them not to send sensitive personal details via PM.
What has been done about the senders of the trojan?
- We contacted the police computer crime unit about this and filed a statement.
- The spam emails sent out contained links, which we advised users not to click. After reporting this to the authorities to investigate we have been informed that there were links to three different locations.
- Only one of these contained any malicious files. The only way you could have been infected is if you opened the email, clicked on the link, downloaded the zip file and installed the fake program.
- The police inform us that the majority of the big anti-virus software providers have now updated their products to enable them to tackle this new Trojan.
- The authorities in the countries where the spam emails originated are also conducting investigations.
Please let the webmaster know any useful information about this via email.
UPDATE NOTE - FOR FULL INFO PLEASE READ
Inserted explanation by MSE Dan - web editor
Hi folks,
The thread below has brought to our attention an email being received by forum users, purporting to be from 'Money Expert' and using forum usernames.
Thanks for letting us know about this - we have been investigating all morning and it is definitely malicious spam. It is absolutely not from us, and we haven't (and never would) sell or pass on any data.
Crucially, it contains a link leading to a type of virus called a 'trojan' so please DO NOT CLICK THAT LINK! (read about Free Anti-Virus software)
Here is an example of the email, so you know what you are looking for:
Hi XXXXX,
MoneyExpert: News-Tool.
At MoneyExpert, we believe it's only fair that you can compare products from the whole of the marketplace. After all, it's the only way to be sure you're not missing that perfect deal. That's why we insist on being independent, which means we're never biased towards any particular company. We provide details on every product from all of the major providers in the market. We partner with Defaqto, the people who deliver product data to the FSA, to ensure that our tables are accurate and complete. You can find out more about Defaqto at www.defaqto.com.
Download "MoneyExpert News-Tool":
[link removed]
_________
MoneyExpert is VAT registered. Our VAT registration number is 825281335.
If you got this email and didn't open it, or opened it and didn't click the link in it, there is nothing to worry about.
We're sorry for any problems this may have caused you. The e-mail did not come from, and has nothing to do with, MoneyExpert or Defaqto; their names have been used to try and trick recipients into clicking the link.
We are still investigating how the e-mails were sent to so many of our users but we've found no obvious breach at this stage. We'll let you know more as it comes to light but it's possible that the e-mail addresses were harvested during a breach that happened last year. Please see this post for more details.
Please help us work out what's going on...
We think that only forumites who joined before Dec 2009 will be receiving these emails, as they relate to a breach in the past. However, if you are a more recent member, it would be a massive help if you can post below and let us know.
Thanks for all the feedback so far, and sorry again for the hassle. We'll post any more updates here
Dan
Update by MSE Martin at 10.30pm Wed
Having been out of the office and contact for most of the day I wanted to write a note now I can, though the senior team have been on this all day.
We are of course working hard to get to the bottom of this. The best info we have so far is that this is related to an old forum breach we think we had last year. But we have to analyse it. Please vote in the poll above, as it will help us determine whether this is only affecting older users or not. Indications are it is being sent to old usernames, which shows that being likely.
We have yet to verify anyone who joined in 2010 got the email, so if you have, we'd kindly request you urgently email webmaster@moneysavingexpert.com with your username so we can check the logs, and a copy of the email received so we can investigate.
The forum is run using 3rd party software called vBulletin, and we rely on its protection to look after the files, plus over the last year we've been through a major exercise to try to tighten it up with our own security on top.
An upgrade to that software is available and it is on our list, but it is a massive exercise of many months to rebuild all the bespoke features we've added (many on users' request) and isn't something that can happen quickly.
Thankfully, we don't hold any personal data on individuals - barring email addresses. That is and always has been a deliberate policy because I don't want us to data mine individuals, and it means that in the event something like this happens (and determined hackers try all big sites - Nasa, Facebook, the Navy and banks have been hacked at times) the worst that can happen, I hope, is inconvenience. Of course, it's also an important reminder to ensure you have anti-virus software (see free anti-virus).
If we have been hacked whether recently or in the past, I of course apologise wholeheartedly. It's not for want of trying - we've been through some major security exercises over the last year including bringing in outside consultants to check for any flaws. Yet this unfortunately reflects the murkier side of the internet.
We will continue looking at this in the morning. My tech team and our server company's security team have been looking at this and the access logs. No indication of a recent breach has been found yet (as far as I'm aware, though it is 10.30pm and I can't get hold of them all).
Regards
Martin
____________________________________________________
Back to the original post...
Webby
This morning I received an email from MoneyExpert.com addressed to my MSE username:
SugarSpun,
MoneyExpert: News-Tool.
At MoneyExpert, we believe it's only fair that you can compare products from the whole of the marketplace. After all, it's the only way to be sure you're not missing that perfect deal. That's why we insist on being independent, which means we're never biased towards any particular company. We provide details on every product from all of the major providers in the market. We partner with Defaqto, the people who deliver product data to the FSA, to ensure that our tables are accurate and complete. You can find out more about Defaqto at www.defaqto.com.
Download "MoneyExpert News-Tool":
[link removed]
_________
MoneyExpert is VAT registered. Our VAT registration number is 825281335.
I noticed the VAT registration number on the bottom so I googled it and came up with this. It seems to be a legitimate company that's sent out a mail shot to email addresses it's acquired from somewhere - can it be that MSE has sold our email addresses? This is the only site I've used my primary email address for since I wanted to sign up to the weekly email at the same time, and I always click the "no third party" sites.
May we have an explanation please?
Organised Birthdays and Christmas: Spend So Far: £193.75; Saved from RRP £963.76
Three gifts left to buy
Poll: If you received the spam email addressed to your forum name pls vote (see post) - 1101 votes
- I joined the forum before 2010: 90% (999 votes)
- I joined the forum this year: 9% (102 votes)
Comments

Can you edit out the link to the zip file please?
Just in case it is dodgy/virus/trojan etc.
Thanks.
Free/impartial debt advice: National Debtline | StepChange Debt Charity | Find your local CAB
IVA & fee charging DMP companies: Profits from misery, motivated ONLY by greed
Posts from this thread:
https://forums.moneysavingexpert.com/discussion/2864252

mintymoneysaver wrote: »
I'm a bit concerned that today I've received an email addressed to my MSE name to my email address. I haven't got my email address on my contact information.
It's from 'moneyexpert' and gone to my spam folder but it just shows how much people can find out...

Same here.
I've never signed up to emails from them, and there is no way they should have the email address they used. :undecided

I forwarded the one I received to abuse; I think this is a leak in the security of the site and should be addressed urgently.
MSE are definitely responsible for the security of the data they keep even if they can't police the boards to remove Facebook pictures etc. I seriously hope that this will not be the start of a flood of similar emails which will then address the size of my penis and suggest I help out a Nigerian prince by lending him my bank account.

Well, I've had one to both of the email addresses I've used for this forum.
Also very concerning is that the emails do not have any link to the real site they claim to have come from, but DO have a link to a zip file to download claiming to be "Download "MoneyExpert News-Tool"".
That has got to be hugely dodgy. I can't imagine any legitimate email doing that.
I'm going to post on the site feedback board with this I think.

I noticed my email had a VAT registration number on the bottom so I googled it and came up with this. It seems to be a legitimate company that's sent out a mail shot to email addresses it's acquired from somewhere - can it be that MSE has sold our email addresses? This is the only site I've used my primary email address for since I wanted to sign up to the weekly email at the same time, and I always click the "no third party" sites.
May we have an explanation please?

I've also had one, to an email address I use exclusively for this forum.
I am seriously unhappy. Either MSE has sold out, or they've been hacked. :mad:
I suggest that we try to establish how many people are involved, and then hand the matter over to the Information Commissioner's Office, who can investigate, and if necessary take legal action against both MSE and the spammers, as this is a clear breach of the Data Protection Act.
@Martin, your immediate response on this is required - email me if you need further information.
Chris.

Doesn't mean that it actually came from them. It's very easy to spoof the "from" address in an email.
Linking to a zip file download not hosted on MoneyExpert's site looks hugely dodgy.
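The post above makes the two points a triage analyst would actually act on: the From header is free text that proves nothing, and the real tell is a download link that does not sit on the claimed sender's own site. The script below, an added example and not code from the thread, from MSE or from MoneyExpert, applies both checks to a raw message using only the Python standard library. It runs on a constructed message modelled on the one quoted in the thread; every domain, address and the download link are placeholders on the reserved .invalid TLD (the thread redacted the real link), and the "same organisation" comparison is a deliberately crude last-two-labels key rather than a public-suffix-list lookup.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the message quoted in the thread.  Every
# domain, address and the download link are placeholders on the reserved
# .invalid TLD: the thread redacted the real link and these are NOT its values.
SAMPLE_EMAIL = """\
Return-Path: <bounce-4471@bulk-relay.invalid>
Received: from bulk-relay.invalid (bulk-relay.invalid [192.0.2.10]) by mx.example.invalid with ESMTP; Wed, 1 Dec 2010 08:14:02 +0000
From: "MoneyExpert" <news@moneyexpert.invalid>
To: forumite@example.invalid
Subject: MoneyExpert: News-Tool
Content-Type: text/plain; charset=us-ascii

Hi XXXXX,

MoneyExpert: News-Tool.

Download "MoneyExpert News-Tool":
http://cdn-updates.invalid/tools/MoneyExpert_News-Tool.zip

_________
MoneyExpert is VAT registered.
"""

# A second constructed message that passes the checks, to show the heuristics
# do not fire on a plain newsletter whose links stay on the sender's own domain.
BENIGN_EMAIL = """\
Return-Path: <newsletter@moneyexpert.invalid>
From: "MoneyExpert" <news@moneyexpert.invalid>
To: forumite@example.invalid
Subject: This week's tables
Content-Type: text/plain; charset=us-ascii

This week's comparison tables are at http://www.moneyexpert.invalid/tables/this-week.html
"""

# File types that a mass mailing has no business asking the reader to download.
RISKY_EXTENSIONS = (".zip", ".rar", ".exe", ".scr", ".jar", ".msi")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(header_value):
    """Lower-cased domain of an address header ('' if the header is absent)."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def org_key(host):
    """Crude 'same organisation' key: the last two labels of a host name.
    Adequate for this example; production code should consult the public
    suffix list so that names like example.co.uk are handled correctly."""
    return ".".join(host.lower().split(".")[-2:])


def extract_urls(msg):
    """All http(s) URLs in the first text part of the message."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []


def triage(raw_message):
    """Apply the two checks from the thread to a raw RFC 5322 message.

    1. From is free text, so compare it with the envelope sender (Return-Path)
       and Reply-To, which a spammer relaying through other infrastructure
       usually cannot make match.
    2. Every link should sit under the claimed sender's domain, and none
       should offer an archive or executable for download.
    Returns the evidence rather than a verdict so the caller decides what to do.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    findings = []

    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and org_key(other) != org_key(from_domain):
            findings.append(f"{header} domain {other} does not match From domain {from_domain}")

    urls = extract_urls(msg)
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if org_key(host) != org_key(from_domain):
            findings.append(f"link host {host} is not under the From domain {from_domain}: {url}")
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"link offers an archive/executable download: {url}")

    return {"from_domain": from_domain, "urls": urls,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = triage(raw)
        print(f"{label}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

On the constructed sample all three checks fire (envelope sender on a different domain, link host outside the claimed sender's domain, and a .zip download), while the benign newsletter produces no findings. The Return-Path comparison is the weakest of the three, since a sender can also put a matching address there; the link checks are what the forumites above spotted by eye, and they are the ones worth keeping in any mail-gateway rule.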
Two received here and reported.

Yup, I've had this too.
Are you for real? - Glass Half Empty??
:coffee:

I own a domain name and get all emails sent to a different email address; in Money Saving Expert's case I get it sent to moneysavingexpert.com@mydomainname.com. This is so I can block emails once a company starts sending spam etc.
The email we all got this morning not only has the MSE unique email address, it also has my forum username.
What other information has MSE leaked/sold?

I've got one as well -- there's something fishy on those there waters :eek::mad:

Yup, me too, I think MSE must have been hacked.

I got one too. I sent it to the webmaster (before reading this thread).
I am most concerned that a company that is not MSE has managed to link our email addresses and forum user names together. Most odd.
I assume Martin will be in touch! lol

I also had one of these emails this morning, with the exact same text as that copied above. I hope this is resolvable - and a hack. I strongly doubt that MSE would intentionally give email addresses to an outside operator.